Sr GRC Engineer (Contract to hire)

Work from home Full-time role Hiring

This role is fully remote from any state except NY, NJ, or CA.

We are seeking a Governance, Risk & Compliance (GRC) Analyst to support and mature the organization’s cybersecurity, compliance, and risk management initiatives. This individual will operate with moderate independence and will be expected to take ownership of assigned GRC initiatives while serving as a trusted adviser to both technical and business stakeholders.

The ideal candidate will possess a strong foundation in information security governance, risk management, compliance operations, and policy administration, combined with the communication skills and professional maturity necessary to work effectively across all levels of the organization. This role will partner closely with IT, Engineering, Security Operations, and business leadership to ensure effective implementation and ongoing maintenance of security controls, compliance requirements, and business continuity processes.

Key Responsibilities

Risk Management

  • Lead risk assessments and risk mitigation planning initiatives as assigned.
  • Review submitted risk exceptions and known risks in partnership with technical teams.
  • Recommend operational or technical solutions to avoid, reduce, or mitigate identified risks.
  • Conduct control testing and internal audits to validate that risk mitigation measures are functioning effectively.

Policy Development & Governance

  • Own and manage the lifecycle of assigned security and compliance policies.
  • Coordinate annual policy reviews with stakeholders across IT Support, Engineering, Security, and Senior Leadership.
  • Draft, revise, and maintain policies, standards, and procedures in response to evolving business services, regulatory requirements, and audit expectations.
  • Interpret control activities, standards, and governance requirements to support operational implementation.

Audit Management

  • Serve as a primary liaison for external auditors and internal audit engagements.
  • Prepare audit evidence, documentation, and responses.
  • Coordinate and track remediation activities resulting from audit findings or compliance gaps.

Compliance Maintenance

Lead ongoing compliance monitoring activities, including:

  • Quarterly and administrative access reviews
  • Participation in change management processes to ensure policy compliance
  • Review and approval of data device disposal requests
  • Validation of compliance with internal standards and regulatory requirements

Business Impact Analysis (BIA)

  • Conduct Business Impact Analyses for assigned critical business processes.
  • Identify supporting systems, applications, and third-party vendors associated with critical operations.
  • Assess financial, reputational, operational, and regulatory impacts associated with service disruption.
  • Evaluate existing continuity and recovery capabilities and document identified gaps.

Business Continuity Planning (BCP)

  • Draft, maintain, and periodically review business continuity plans in coordination with business process owners and executive sponsors.
  • Support continuity testing exercises and remediation planning in alignment with Business Continuity Policy requirements.

Vendor Risk Management

  • Lead vendor security assessments and ongoing due diligence activities.
  • Ensure vendors meet security and compliance expectations according to risk-based classifications.
  • Identify situations requiring enhanced architectural, technical, or security review.

Data Governance & Privacy

  • Support data governance and privacy compliance initiatives.
  • Maintain inventories and mapping of sensitive or regulated data, including Protected Health Information (PHI) where applicable.
  • Document data collection, usage, storage, and protection controls.
  • Participate in privacy impact assessments and compliance reviews.

Qualifications

Required Experience

  • 5–10 years of experience in Governance, Risk & Compliance, Information Security, Audit, or related cybersecurity functions.
  • Experience supporting compliance frameworks, internal controls, audits, and risk management programs.
  • Ability to work independently and manage multiple concurrent initiatives.
  • Strong written and verbal communication skills with the ability to interact effectively with technical teams and business leadership.
  • Experience interpreting policies, standards, and security controls for operational implementation.

Preferred Technical & Functional Experience

  • Security governance and policy management
  • Risk assessments and remediation planning
  • Audit coordination and evidence collection
  • Business continuity and disaster recovery planning
  • Vendor risk management
  • Access reviews and compliance operations
  • Data privacy and governance initiatives
  • Familiarity with security and compliance frameworks such as ISO 27001, NIST, SOC 2, HIPAA, or similar standards

Preferred Certifications

The following certifications are highly valued:

  • Certified Information Systems Auditor (CISA)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Security Manager (CISM)
  • ISO 27001 Lead Implementer and/or Lead Auditor
  • Certified Information Privacy Manager (CIPM)
  • Certified Information Privacy Professional (CIPP)
  • Ongoing pursuit or attainment of CISSP certification

Additional Information

  • This position requires strong organizational skills, sound judgment, and the ability to balance compliance rigor with practical business operations.
  • The successful candidate will be expected to operate proactively, contribute ideas for process improvement, and function as a key partner within the broader cybersecurity organization.
